QUOTE: Most important was the issue of whether we question the validity of our digital trust mechanisms upon which our software-driven Digital Age has relied for years. Every organization on the face of the earth relies on security controls, be they on the endpoint or the perimeter, to accept downloaded binaries if they are digitally signed. These digital signatures signify that code originated from a given manufacturer and should be allowed… Security industry leaders have long predicted that it would only be a matter of time before cybercriminals would use compromised certificates at scale to camouflage large numbers of malware. McAfee Labs’ third quarter report suggests that we could, in fact, be approaching that state of “at scale” signed malware.

While the leading code signing certificate authorities (CAs) have worked hard to validate the legitimacy of the customers to whom they sell their certificates, the evolution and commoditization of the certificate authority market has spawned an ecosystem of CAs that are decidedly unconcerned with such reputation measures. It has also produced a web of retailer relationships that make verification and validation difficult for the top root certificate authorities.